Abstract

We propose a decision procedure for analysing security of quantum cryptographic protocols, combining 
a classical algebraic rewrite system for knowledge with an operational semantics for quantum distributed 
computing. As a test case, we use our procedure to reason about security properties of a recently developed 
quantum secret sharing protocol that uses graph states. We analyze three different scenarios based on the 
safety assumptions of the classical and quantum channels and discover the path of an attack in the presence 
of an adversary. The epistemic analysis that leads to this and similar types of attacks is purely based on 
our classical notion of knowledge. 

Keywords: Quantum cryptography, distributed measurement calculus, algebraic information update. 



1 Introduction 

Quantum communication is an inseparable part of quantum computing: it offers solutions
to the risks caused by the exponential speed-up in the power of adversaries,
which is in turn caused by quantum algorithms. While some advances have been
made in the area of formal verification of quantum communication protocols [11], no
applicable formal framework has yet been suggested for their automatic cryptanalysis.
This is contrary to the fact that, similar to the situation in classical security,
attacks have been discovered on proven-to-be-safe quantum protocols.

In this paper, we present a decision procedure to verify whether a protocol satisfies
an epistemic security property. Our procedure derives knowledge properties
of agents from the set of dynamic and epistemic traces of the protocol. The dynamic
traces are generated from the protocol specification by operational rules of
distributed measurement calculus (DMC) [5]. These are then expanded to the epistemic
traces using appearances of agents about the actions of the protocol. The
appearances are derived from the safety assumptions of the communication channels
according to a set of rules. Our notions of knowledge and time are classical
and have been used in the formal analysis of classical protocols, for example in the
Halpern style models of [14,7] and in the algebraic Epistemic Systems of [2,17].

Both the DMC model and the algebra have been previously used to analyze the 
security of quantum key distribution (QKD) and its attacks [7,8,16]. The setting of 
this paper has advantages over both these attempts. First, we rely on the already 
existing rules of the semantics of DMC, as opposed to adding axioms for quantum 
mechanics to the algebra as pursued in [16]. Second, we use the algebraic axiomatics 
of dynamic and epistemic adjunctions to derive knowledge properties of the protocol, 
as opposed to model-checking them by traversing the tree of the protocol as done 
in [7,8]. Third, we set the actions of the adversary in a compositional way using
the appearance maps of the algebra, as opposed to adding them to the
specification of the protocol in an ad hoc manner as suggested in [7,8].

We prove that our decision procedure is sound and terminating with regard to 
the pair of a DMC model and the algebraic axiomatics of Epistemic Systems. We 
apply our decision procedure to a new quantum secret sharing (QSS) protocol, which 
is based on graph states and has been proposed recently in [12]. For this protocol, 
we develop epistemic properties and prove them for three kinds of assumptions 
on the quantum channels: safe, unsafe with non-suspicious agents, and unsafe with 
suspicious agents. We show that in the second case, the protocol does not satisfy its
desired epistemic property and is thus not secure; moreover, we discover the path of
an intercept-exchange attack that caused this insecurity. A full analysis of the safety
assumptions of all the channels and their impact on the security properties needs
automation, which constitutes ongoing work. Also, we have only been working
on a one-round basis and indeed, for a full analysis of protocols one needs to run 
the protocol in many runs and then use probabilities, for instance on the knowledge 
modalities. This would be a natural and exciting extension of the currently proposed 
framework. 

In a nutshell, our framework is obtained by merging the model checking approach
of [8,7] and the algebraic axiomatics of [16]. The former is based on a
distributed extension [5] for an assembly language [6] that universally models
computations of the one way model. Its knowledge operator is defined over Kripke
structures in the style of Fagin et al. [10] by using equivalence relations on the
states. Reasoning about properties of a protocol is done on the state space of this
structure using a logic with temporal and epistemic operators. The latter is based
on the Stone-like duals of these relational systems and moreover, following [4], a
quantale structure is assumed on the actions. This setting consists of a pair of a
quantale of classical and quantum actions and its right module of bits and qubits
involved in a protocol. The pair is endowed with a family of join-preserving maps, one
for each agent involved in the protocol. The right adjoints to these endomorphisms
give rise to a very useful notion of knowledge, both on propositions of the module and
actions of the quantale.

2 Decision Procedure

The procedure has three main steps. First, we write a program in the language
of the distributed measurement calculus (DMC) to implement the specification of
the quantum protocol and generate a set of dynamic traces for it. This is done
by executing the rules of the operational semantics of DMC. Second, we write
formulae with dynamic and epistemic modalities to express security properties of
the protocol. This is done in the algebraic syntax of Epistemic Systems. Finally,
we apply an algebraic rewrite system to decide whether the protocol satisfies the
properties.

Step (1) Specify and produce dynamic traces in DMC. 

Programs of DMC are implemented as networks of agents. A network of agents is
denoted by $\mathcal{N}$ and is defined as follows

$$\mathcal{N} = |\psi\rangle \parallel A(Q).\mathcal{E} \mid B(Q').\mathcal{E}' \mid \dots$$

It consists of a set of agents acting in parallel (denoted by $\mid$) on a given entanglement
resource $|\psi\rangle$. An agent $A(Q).\mathcal{E}$ is specified by a name $A$, a set $Q$ of qubits it
owns, and an event sequence $\mathcal{E}$. The event sequence can be a computation in the
measurement calculus, a classical message reception $c?x$ and sending $c!y$, or a qubit
reception $qc?q$ and sending $qc!q'$. Note that, contrary to the original definitions
in [5], we now write specifications from left to right; also agents may have extra
classical parameters $a$, written as $A(a, Q)$. As an example, here is one round of
Ekert's implementation of QKD:

$$QKD = E_{12} \parallel A(a,1).[H_1^a; M_1; c!a; c?b] \mid B(b,2).[H_2^b; M_2; c?a; c!b].$$

The set of traces of a program is generated by following the rules of the small-step
semantics as specified in [5], but moreover, we work with projections, annotate
actions with agents that performed them, and name the preparation actions of
the initial entanglement resource and the distribution actions of qubits. For
example, $P_i^{A,a}$ stands for the spin $a$ projection of qubit $i$ done by agent $A$ and $N_i^C$
is the preparation of qubit $i$ by agent $C$. The preparation actions are made explicit
by juxtaposing them to the leftmost of the traces; for QKD the entanglement
resource $E_{12}$ is created by applying $N_1^C; N_2^C; E_{12}^C$ to a 2-qubit system $q_1 \otimes q_2$, where
$N$ is preparation in the $|+\rangle$ state and $C$ is the agent who prepared the entanglement
resource. Distributing these qubits to agents $A$ and $B$ is denoted by a quantum
broadcast action $qc!?^C_X q_i$, which stands for agent $C$ sending qubit $q_i$ to agent $X$ and
agent $X$ receiving it from him. This is a shorthand for a quantum send $qc!^C_X q_i$ and
a quantum receive $qc?^C_X q_i$. Similarly, we also shorthand a classical send $c!^A_B a$ and
receive $c?^A_B a$ to a broadcast $c!?^A_B a$.

According to these conventions, two of the four possible traces for a successful
run of QKD are as follows

$$\pi = N_1^C; N_2^C; E_{12}^C; qc!?^C_A q_1; qc!?^C_B q_2; P_1^{A,X}; P_2^{B,X}; c!?^A_B a; c!?^B_A b,$$

$$\pi' = N_1^C; N_2^C; E_{12}^C; qc!?^C_A q_1; qc!?^C_B q_2; P_1^{A,Z}; P_2^{B,Z}; c!?^A_B a; c!?^B_A b.$$

Step (2) Write security properties in Epistemic Systems.

The input to the rewrite system is an expression of the form

$$I \vdash r$$

where $I$ is the initial state and $r$ is an epistemic property that contains the disjunction
of dynamic traces produced above. An example is the following expression

$$q_i \vdash [\pi]\,\Box_A \Box_B\, s_i^j$$

which is read as

After running the trace $\pi$ of the protocol on qubit $q_i$, agent $A$ knows
that $B$ knows that the value of bit $i$ is $j$.



The I and r expressions are generated as follows: 



• The initial state $I$ is made of propositions $m$ that are formed by closing
atomic classical and quantum variables $s_i^j$ and $q_i$ under $\neg$, $\wedge$, $\vee$ and logical
constants $\bot$, $\top$. The variables are generated as follows

K ::= 4\Ql\H® 1w 

• The epistemic property $r$ is generated as follows

$$r ::= m \mid [\pi]m \mid \Box_A(m)$$

where $\Box_A(m)$ is the epistemic modality and, for $\pi$ a dynamic trace, $[\pi]m$ is
the dynamic modality.

One such expression for Ekert's QKD is 



JVf ; ivf ; EC 2 ; qc!?^ 9l! qc!?g q 2 ; P?' X ; P^ X ; c!?^ a; c\l B A b] □^□ B ( S ?As° 



Proving this property together with a permutation of it for B, that is 



qi ®q2 



iVf; Ng; PF 2 ; qc!?^ qr, qc!?g g 2 ; P* x ; P 2 B c!?^ a; c!?^ bl D B n A (^4 



will imply that A and B share a piece of data, which is the results of each other's 
measurements, that is (sj A s^). The sharing property is expressed by the nested 
knowledge property, that A knows that B knows it, and vice versa 3 . That the 
data is secret is proved by showing that an adversary E does not know it, that is 
the following expression 



Af ; Af ; E^ 2 ; qc!?^ q r , qc!?g </ 2 ; P^; P* ' X ; c!?^ a; c!?^ 6 ^(sM 



3 It is arguable whether one has to nest the knowledge modalities infinitely many times and thus use the
common knowledge operator to express the sharing property, but for now we restrict ourselves to a two
level nesting.

Step (3). Generate Epistemic traces and verify the property.

We proceed by analyzing uncertainty of agents about the states and actions of
protocols. These are referred to as appearance maps and are denoted by $f_A$ for
an agent $A$. They encode all possible actions or propositions that appear possible
to an agent, given the action that is happening or the proposition that is true in
reality; we refer the reader to [2,17] for discussions and examples. Here, we treat
these maps more practically and introduce a general set of rules to generate them.
These rules are presented below.

(i) The agents have no uncertainty about the steps of the protocol they are
involved in.

(ii) Qubits are encoded as black boxes and thus appear as they are, that is as
identity to all agents. Classical bits appear as either 0 or 1 to agents.

(iii) The owner of an action has no uncertainty about his actions, but is uncertain
about other agents' actions. His appearances of these latter actions are
generated by instantiating their variables.

(iv) There is only one adversary present in each protocol. This adversary can 
intercept the unsafe channels, either quantum or classical, by stopping the 
messages, changing the content of the messages, creating new messages and 
sending them. On a quantum channel, the change of the content of the message 
is done by measuring the sent qubit and the creation of new messages by 
preparing fresh qubits. On the classical channel, the change is simply effected
by reading and writing the values of the bits.

(v) On the safe channels, the adversary can either be passive or not present at 
all. In the latter case, he cannot even see if messages are passing through and 
what is their content. In the former case, on a classical channel, he can see 
the value of the bits as well as the sender and receiver of each message, but 
cannot change anything. On a quantum channel, he can only see that a qubit 
is passing, but cannot see its state. 

(vi) Communication actions on a safe channel are either public or private announcements
to a subgroup of agents. The former appears as identity to all agents,
whereas the latter is identity only to the insiders in the group, and either as
nothing or all possible choices to the outsider agents. On an unsafe channel,
the announcement actions are treated as separate send and receive actions.

(vii) Honest agents may suspect the interception actions of the adversary. If they 
do so, these actions appear to them as either happened or not. If they do not, 
they appear to them as the neutral action in which nothing happens. 

For example, the appearances of the projection action P 1 ' in our above example 
traces are as follows 



The appearances of the communication actions depend on the safety assumptions
of the channel in which they take place. For example, if the channel is safe, they are
treated as broadcasts, otherwise as separate send and receive actions. We present a
detailed example on those in the last section.

Due to space limits we cannot present the rewrite rules; they are similar to the
system presented in [15]. By applying them, one first eliminates the logical connectives
$\wedge$, $\vee$, $\Box_A$, $[\ ]$ and then the classical and quantum communication actions. The
output is a set of atomic expressions, defined as follows

Definition 2.1 An expression $I \vdash r$ is atomic iff $I$ is a quantum state followed by a
sequence of atomic quantum actions and $r$ is an atomic classical or quantum state.

For instance, for a safe quantum channel, the atomic form of our sharing property
is

(gi ® <h){N? ; Af; E? 2 ; P^ x - P^ x ) h s\ A s° 2 

These atomic expressions may contain new epistemic uncertainties and thus will 
need to be verified against our operational semantics. For this purpose, we introduce 
below the notion of a well-defined expression.

Definition 2.2 An atomic expression $I \vdash r$ is well-defined iff $I$ is derivable within
the operational semantics of DMC. It is true iff r holds in all configurations resulting 
from I. An epistemic property holds for a protocol whenever all its well-defined 
atomic expressions are true. 

Proposition 2.3 For a protocol specification $\mathcal{N}$ and an expression $I \vdash r$ which is
built from the dynamic traces of $\mathcal{N}$, the process of deciding if the epistemic property
in $r$ holds for $\mathcal{N}$ is terminating and sound with regard to the pair of an Epistemic
System and a DMC model.

Proof. These follow from image finiteness of appearances of actions and propositions,
together with soundness and termination of the rewrite system of Epistemic
Systems and the DMC model [5,15].

3 Case study: quantum secret sharing 

We apply our procedure to the quantum secret sharing (QSS) protocol recently 
established in [12]. In secret sharing a dealer holds a secret bit which he wants to 
send to n players, such that at least k players are needed to reconstruct the secret. 
The problem is well-known in the classical settings and solvable for all (n, k). In the 
quantum case, only the (n, n) case has been solved for the GHZ-type entanglement 
[18]. The work in [12] uses instead graph states and thus is more suitable for 
modelling in our measurement-based setting. Moreover, it generalizes the quantum 
key distribution protocols and simplifies their proofs. We analyze and prove some of 
the epistemic properties of the QKS component of the (3, 5) case, where a particular 
graph state is used to establish a secret key between three players and the dealer 
in one go (as opposed to via several 2-party QKD protocols). This key will then be 
used to distribute a secret using the other components of the protocol. 

The resource required for the protocol is the graph state shown above, henceforward
called G(3, 5). It is prepared following the usual procedure for graph states, that is

G(3, 5) = (7V i; . . . ; iV 5 ; iV 6 ; J] E {j ) ®? =1 ft ; , 

where is the set of edges. The protocol proceeds as follows: 

Step 1. The dealer prepares G(3, 5), sends each agent a qubit qi together with an 
agent identity i. 

Step 2. The dealer measures his qubit in the Y or Z basis randomly and broadcasts 
his measurement basis. 

Step 3. Each participating player measures his qubit in the X, Y or Z basis randomly,
then broadcasts his identity and measurement basis.

Step 4. Depending on these messages, each agent determines if the run was successful
as follows:

• If the participating agents are neighbours, then we have ijk = i(i + + 2); 
this is the case for the following measurement combinations 

Mq Mf Mf Mf and Mf Mf Mj Mf . 

• If they are in a so-called T-shape, we have ijk = i(i + + 3); this is the case 
for the following measurement combinations 

M%M*M]Ml and Mj Mj Mf Mjf . 

Step 5. For a successful run, measurement outcomes are correlated as $s_0 = s_i \oplus s_j \oplus s_k$.
Players use their secure classical channels to exchange measurement outcomes
and determine if $s = s_0$, hence establishing a shared key with the dealer.

We refrain from giving the full specification of the QSS network and move
straight on to its traces, where we treat all the communication actions as broadcasts
and later on break them into separate send and receive actions, as necessary and
according to the safety assumptions of their channels. Whenever the subscript of a
broadcast action is missing, e.g. in $c!?^D a$, it means that the broadcast is a public
action that can be listened to by everyone. A typical trace for a successful run of
QSS is as follows






D'HONDT AND SADRZADEH 



tt = Nf>; . . . ; iV 6 D ; U eij E Fj (preparation) 

(qc!?fgi) . . . (qc!?,?^) (private broadcast of qubits) 

pD,±a pAi,±b pAj,±c pA k ,±f (measurement projections) 

c!? D a; c\? Ai b; c\? Aj c; c!? Afe c (public broadcast of measurement bases) 

(c!?^ 1 a Si){c\l J \ 3 _ A Sj)(c!?4 fc 4 Sk) (private broadcast of player's mes. outcomes) 

Here a G {X, Y},b, c, f G {X, Y, Z} are measurement basis, qc!?f is the quantum 
message passing from D to A{ G {^4i, • • • ,^5} denoting the 5 players, and c!?^ 1 is 
the private announcement from player Ai to the group C {Ai, • • • , A5}. We omit 
the calculation of the secret key, which is determined by the following exclusive-or
formula

$$s = s_i \oplus s_j \oplus s_k$$

Successful traces only depend on the chosen values for $a$, $b$, $c$ and $f$; one example of
such a trace for adjoining agents $A_1$, $A_2$ and $A_3$, owning qubits 1, 2 and 3 respectively,
is as follows



7T 



p D,+Z pAx-Z p A 2 ,-X p A 3 ,+Z. 
r Q r l r 2 r 3 ' 



Zl D ;Zl Al ;Xl A2 ;Zl A3 ; 



3.1 Epistemic Properties

We consider three cases: agents' heaven, adversary's heaven, and adversary's hell. 
In the first case the quantum channel is safe, in the second case it is not and the 
honest agents do not suspect it, in the third case it is not and the honest agents do 
suspect it. The other channels are assumed to be safe in all three cases. For each 
case, we show how the appearances of agents of actions in the dynamic traces are 
set. This is done according to the safety assumptions on the channel and our rules. 
Then we present some of the related epistemic security properties of each case. 

(i) Agents' heaven 

The appearances of the projections are set according to rule (iii) of appearances.
Since the channels are safe, the communication actions on the quantum
channel are treated as public broadcasts and, by rule (vi) and for $\sigma$ an agent,
they are set as follows

$$f_\sigma(qc!?^D q_i) = qc!?^D q_i$$

That is, all the agents are fully aware of the broadcast action and thus have
only one possibility in their appearance, the broadcast action itself. The communication
actions on the classical channels are private announcements and by
rule (vi) their appearances are set as follows, for $\beta$ a subset of players
Men f s{) = { 



c\lfs\ at (3 



This says that the insider agents $\sigma \in \beta$ who receive the sent bit $s_j$, which is
either equal to 1 or 0, are fully aware of what has happened and thus have only
one possibility about the private broadcast action, that is the broadcast action
itself, and thus their appearance is identity. But by rule (i) of appearances, the
outsider agents $\sigma \notin \beta$ are only aware that a bit has been privately broadcast
to the subgroup $\beta$ and are uncertain about the value of that bit. So they
consider it possible that either a bit with value 1 or a bit with value 0 has
been privately broadcast to insider agents in $\beta$. Thus their appearance is
the choice of these two possibilities.

Some of the epistemic properties of interest for our trace $\pi$, allied players
$A_i \in \{A_1, A_2, A_3\}$, joined with dealer $\sigma \in \{D, A_1, A_2, A_3\}$, are as follows

• The dealer knows his bit and binary sum of allied players' bits, i.e. 

□ D (sOA(s^©4 2 e4 3 ))- 

• Allied players moreover know the value of each single measurement, i.e. 

U Ai (sg AsJa4a s°) . 

• The dealer knows that the players know his bit and the players know 
that the dealer knows the sum of their bits, i.e. 

n D n Al 4 and n Al a D (s b i © 4 2 © s 3 3 ) • 

• The adversary does not know any of the above, i.e. 

-i\3e (sq A (sj 1 © s b 2 2 © S3 3 )) . 

• The dealer and the agents know the above, i.e. 

□ CT -D £ (s|]A(/ 1 1 ffi4 2 ffi4 3 )). 



(ii) Adversary's heaven 

In this case, the quantum channel is not safe and by rule (iv) the adversary can
intercept the channel. By rule (vi), since the channel is not safe, we must break
its broadcasts into separate send and receive actions. The appearances of these
actions to the agents involved in them (e.g. the appearance of the send action
to the agents who received it) are not identities any more. The appearances
for the send of a qubit are set as follows, where $q_j$ is a new qubit with j > 7

f qclf ft; qc?g ft; pf ' e ; iVf e ; qclf q 3 a' = E 
/ CT , (qclf ft) = | 

[qclf ft o.w. 

This says that neither the agents nor the dealer suspect that $E$ intercepted
the dealer's sent qubit, and thus their appearance of the dealer's send action is (wrongly)
identity, whereas in reality $E$ did the following sequence of interception
events, but they only appear to him as identity.

qd» ft;qc? D ft;P. ;N-' ; qcl^ qj 

According to this sequence of events, $E$ received the dealer's sent qubit $q_i$ that
was meant to be received by agent $i$, measured it, then prepared a corresponding
new qubit $q_j$ and sent it to agent $i$. For the corresponding receive action,
it appears to the dealer that players received the qubit that he sent to them, 
/o(qc?^ qi) = qc?^ ft, whereas in reality they receive the qubit sent to them 
by adversary, /^.(qc?^ ft) = qc? s l qj. In case the eavesdropper is lucky and 
chooses the right projection for all three qubits he intercepts, he is able to 
derive the value of the key. In this case some of the epistemic properties of 
interest are 

• The adversary knows the shared key, i.e. $\Box_E s_0$.

• The players and the dealer wrongly think that he does not know this, i.e. 

Note that here the adversary has to be more lucky than in Ekert'91. This is 
because he has to intercept the qubits of three allied players instead of one, 
and has to choose from three measurement bases. 

(iii) Adversary's hell 

This is the same as above, but the players suspect adversary's actions, that is 
according to rule (vii), it appears to them either there was no interception or 
there was one and the above sequence of actions took place by the adversary. 
Thus we obtain 

/ Ai (qc!f ft) = qclf ft V (qclf ft; qc?g ft; Pf ' e ; N?> e ; qclf qj) 
Similarly, the dealer suspects the adversary's actions on the receipt of his sent qubit

Mqc?^ Qi) = qc?o Qi V (qc?g ft; Pf ' e ; Nf' e ; qclf qj- qc?^) 
In this case, an interesting epistemic property would be the following 



The dealer and the players are not sure anymore if the adversary 
knows their secret bit, and thus if the bit can be treated as a secret i.e. 

3.2 Verifying Epistemic Properties

As examples, we verify two properties: one from the agents' heaven and one from 
the adversary's hell. 

• Agents' heaven 

From this scenario, we verify the following property 



The atomic expressions are generated via the following rewritings, where the $\alpha_i$'s
denote the juxtaposed actions of $\pi$



®i =1 qi H [7r}a D a At Se ®i=iQi, * H U D U Al s° ~> 

~> fAjD(®t=iqi); fAifD(ai); • • • ; f A jD(a n ) I- sg. 

By rule (n) of appearances we have f Ai fD{®i=iqi) = ®f=i9i- By rule (if) and our 
assumptions on channels, we have fo((Xi) = «i for a quantum or broadcast 
communication action. By rule (vz) for communication between players we have 
/£>(c!?^*s^) = cll^si V c!?^sj. Similarly for the projection actions we have 

and 

f D {P^~ z ) = Pi u ' z v P/ 11 '^ v Pi 41 -"* v Pi 41 '^ v Pi 41 - 1 ' V Pi 41 '^ . 

The values for the $f_{A_i}$'s are similarly set. Substituting these values in the above
expression, we first eliminate the traces in which the bases of projections do not
match the announced bases. Next we eliminate the communication actions from
these traces whose content does not match the projections. As a result, we obtain
a set of atomic expressions, of which only those satisfying s® = s^ 1 © s 2 2 ® s 3 3 are 
well-defined in DMC. An example (out of four) is 

(y) 6 a- N D - ■ N D - TT F D - P D >+ Z - p A t,+Z. p A 2 ,-X. p A 3 -Z , n 

This atomic expression is true, since in all its final configurations $s_0$ is 0, and thus
our epistemic property holds for the secret sharing protocol.

• Adversary's hell 

On the contrary, in the adversary's hell, one shows that the epistemic property
$\Box_D \neg \Box_E s_0$ does not hold and thus $s_0$ is not treated as a secret anymore. Moreover,
we also discover paths of an intercept-change attack for each agent, for example
the one for the player $A_1$ contains the following sequence of actions

\D o£ r>E,+Z AT E,+Z ,E nAi r) A 1 ,+Z 

■■■ jqcli 9i;qc?! qr,P l ; N 7 ; qc! 1 q 7 ; qc?^ 1 q 7 ; P 7 

In this path, the adversary receives the dealer's original qubit $q_1$ that was meant to be
received by agent 1, then measures it in basis $Z$ by doing projection $P_1^{E,+Z}$, then
prepares a new qubit $q_7$ according to his measurement result and sends it to agent
1. The adversary turns out to be lucky and agent 1 picks the same measurement
basis as him, that is $Z$, and does the same projection. The classical result of this
projection will for sure be the same as the adversary's but might not be the same as the
dealer's.
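
The three channel scenarios of Section 3.1 and the verification step of Section 3.2 can be replayed in an executable model. The Python example below is added here and is not code from the paper or from the authors' implementation of the algebra. It assumes a single player A1 whose outcome is the key bit, collapses the adversary's interception sequence into one hypothetical action `icept`, and replaces the DMC well-definedness check with an agreement test on outcome bits; all action and function names are assumptions.

```python
from itertools import product

GROUP = ("D", "A1")   # insiders of the private announcement (assumed group)
SKIP = ()             # neutral action: nothing happens

def appearance(agent, action, suspicious):
    """Alternatives (tuples of actions) that `action` may be, as it appears to `agent`."""
    kind = action[0]
    if kind == "qsend":                        # rule (ii): a qubit is a black box
        return [(action,)]
    if kind == "proj":                         # ("proj", owner, outcome)
        if agent == action[1]:
            return [(action,)]                 # rule (iii): the owner is certain
        return [(("proj", action[1], b),) for b in (0, 1)]
    if kind == "priv":                         # ("priv", group, bit)
        if agent in action[1]:
            return [(action,)]                 # rule (vi): identity for insiders
        return [(("priv", action[1], b),) for b in (0, 1)]
    if kind == "icept":                        # ("icept", outcome), owned by E
        if agent == "E":
            return [(action,)]
        if not suspicious:
            return [SKIP]                      # rule (vii): appears as nothing
        return [SKIP] + [(("icept", b),) for b in (0, 1)]
    raise ValueError(f"unknown action {action!r}")

def well_defined(trace):
    """Stand-in for the DMC check: every outcome bit named in the trace agrees."""
    return len({a[-1] for a in trace if a[0] != "qsend"}) <= 1

def epistemic_traces(agent, trace, suspicious):
    """Well-defined atomic traces obtained by expanding each action's appearance."""
    alternatives = [appearance(agent, a, suspicious) for a in trace]
    expanded = (tuple(act for seq in choice for act in seq)
                for choice in product(*alternatives))
    return [t for t in expanded if well_defined(t)]

def knows(agent, trace, prop, suspicious):
    """Box_agent(prop) after `trace`: prop holds on every trace the agent considers possible."""
    return all(prop(t) for t in epistemic_traces(agent, trace, suspicious))

def key_bit(trace):
    """The key bit of a trace: the outcome of the player's projection."""
    return next(a[2] for a in trace if a[0] == "proj")

def knows_key(agent, trace, suspicious):
    s = key_bit(trace)
    return knows(agent, trace, lambda t: key_bit(t) == s, suspicious)

def scenario(s, unsafe, suspicious):
    """Evaluate three epistemic properties for key bit `s` under the channel assumptions."""
    trace = (("qsend", "q1"),)
    if unsafe:
        trace += (("icept", s),)               # lucky adversary: same basis, same outcome
    trace += (("proj", "A1", s), ("priv", GROUP, s))
    return {
        "D_knows_key": knows_key("D", trace, suspicious),
        "E_knows_key": knows_key("E", trace, suspicious),
        # Box_D not Box_E s: the dealer is sure the adversary does not know the key
        "D_sure_secret": knows("D", trace,
                               lambda t: not knows_key("E", t, suspicious), suspicious),
    }

if __name__ == "__main__":
    for name, unsafe, susp in [("agents' heaven", False, False),
                               ("adversary's heaven", True, False),
                               ("adversary's hell", True, True)]:
        print(name, scenario(1, unsafe, susp))
```

In the adversary's heaven the dealer's nested property still evaluates to true although the adversary knows the key, and it becomes false only once the honest agents are suspicious.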

4 Conclusion 

In this article we proposed a new framework for formal analysis of security issues
in quantum cryptographic protocols. Our framework combines an algebraic rewrite
system with a specification language for quantum distributed computations. The
former provides machinery to work with uncertainties of agents in a protocol in a
compositional way, while the latter inherently encodes the rules of quantum mechanics.
Our framework was put to test in the analysis of a recent quantum secret
sharing protocol based on graph states, where we proved some epistemic properties
of the protocol in the presence and absence of an active adversary and discovered
paths of an intercept-exchange attack. For a full analysis one needs to generate
many more epistemic traces and the need for automation and software implementation
is gravely felt. A software implementation of the algebra [15] is already in
place to handle part of the verification. The construction of a tool that automatically
derives the traces and semantics of a protocol is currently underway.